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(54) Closed system virtual postage meter 

(57) A system and method for evidencing postage 
on a mailpiece includes a printer module (30) transmit- 
ting to a remote data center (20) a request for indicia 
data. The data center (20) includes a processor(24), a 
database (22) and a secure coprocessor (26). The da- 
tabase (22) includes user account data. The request in- 
cludes postal value for a selected number of indicia to 
be printed by the printer module (30). The data center 
(20) verifies that the printer module (30) is authorized to 
request the postal value and retrieves user account data 
stored in the database (22). The data center (20) verifies 
the user's account data includes sufficient funds for the 
number of indicia requested, debits the user's account 
data for the total postal value requested and then gen- 
erates a digital token for each of the indicia. The digital 
token is generated from information relating to each of 
the indicia including information unique to each of the 
indicia. The data center (20) transmits to the printer 
module (30) the requested indicia data including postal 
value and digital token for each of the indicia. The printer 
module (30) print the received indicia.: 
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Description 

[0001] The present invention relates generally to a 
postage metering system and method for printing post- 
age indicia and, more particularly, to a postage metering 
system and method for printing postage indicia using 
digital printers. 

[0002] The present application is related to the follow- 
ing European Patent Application Nos. (Client Ref.: E- 
647, E-648, E-649 and E-696), (Attorney Ref.: 76 395, 
76 396 : 76 356 and 76 398) all filed concurrently here- 
with and assigned to the assignee of the present inven- 
tion. 

[0003] Postage metering systems have been devel- 
oped which employ encrypted information printed on a 
mailpiece as evidence of postage that can be authenti- 
cated. Generally, the encrypted information includes 
postage value for the mailpiece and other information, 
which is printed in an indicium of a mailpiece. The en- 
crypted information, which is commonly referred to as a 
digital signature or digital token, is used to authenticate 
the information imprinted on a mailpiece including postal 
value. As a result of the digital token incorporating such 
information printed in the indicium, altering the printed 
information in the indicium is detectable by standard ver- 
ification procedures. Examples of systems for generat- 
ing and using digital tokens are described in U.S. Patent 
No. 4,757,537 for SYSTEM FOR DETECTING UNAC- 
COUNTED FOR PRINTING IN A VALUE PRINTING 
SYSTEM; U.S. Patent No. 4,631 .555 for UNSECURED 
POSTAGE APPLYING SYSTEM; U.S. Patent No. 
4,775,246 for SYSTEM FOR DETECTING UNAC- 
COUNTED FOR PRINTING IN A VALUE PRINTING 
SYSTEM; U.S. Patent No. 4,873,645 for SECURE 
POSTAGE DISPENSING SYSTEM; and, U.S. Patent 
No. 4,725,71 8 for POSTAGE AND MAILING INFORMA- 
TION APPLYI NG SYSTE M, all assigned to the assignee 
of the present invention. 

[0004] Presentty, postage metering systems are rec- 
ognized as either closed or open system devices. In a 
closed system device, the system functionality is solely 
dedicated to metering activity. Examples of closed sys- 
tem metering devices include conventional digital and 
analog postage meters wherein a dedicated printer is 
securely coupled to a metering or accounting function. 
In a closed system device, since the printer is securely 
coupled and dedicated to the meter, printing cannot take 
place without accounting. In an open system device, the 
printer is not dedicated to the metering activity. This 
frees the system functionality for multiple and diverse 
uses in addition to the metering activity Examples of 
open system metering devices include personal compu- 
ter (PC) based devices with single/multitasking operat- 
ing systems, multi-user applications and digital printers. 
An open system metering device includes a non-dedi- 
cated printer that is not securely coupled to a secure 
accounting module. 

[0005] Since Conventional mechanical and electronic 



postage meters have heretofore secured the link be- 
tween printing and accounting, the integrity of the phys- 
ical meter box has been monitored by periodic inspec- 
tions of the meters. Digital printing postage meters, 

5 which are closed system postage meters, typically in- 
clude a digital printer coupled to a metering (accounting) 
device, which is referred to herein as a postal security 
device (PSD). Digital printing postage meters, while still 
enclosing the accounting and printing mechanisms with- 

10 jn a physical meter box, have removed the need for 
physical inspection by cryptograph ica I ly securing the 
link between the accounting and printing mechanisms. 
In essence, new digital printing postage meters create 
a secure point to point communication link between the 

is accounting unit and printhead. See, for example, U.S. 
Patent No. 4,802,218, issued to Christopher B. Wright 
et al and now assigned to the assignee of the present 
invention. Examples of a conventional digital metering 
system are Post Perfect™ and Personal Post Office™ 

20 meters manufactured by Pitney Bowes Inc. of Stamford, 
Connecticut. 

[0006] One version of an open metering system, re- 
ferred to herein as a "Virtual Meter", includes a Host PC 
without a PSD coupled thereto. The Host PC runs client 

25 metering applications, but all PSD functions are per- 
formed at a Data Center. The PSD functions at the Data 
Center may be performed in a secure device attached 
to a computer at the Data Center, or may be performed 
in the computer itself. The Host PC must connect with 

30 the Data Center to process transactions such as post- 
age dispensing, meter registration, or meter refills. 
Transactions are requested by the Host PC and sent to 
the Data Center for remote processing. The transac- 
tions are processed centrally at the Data Center and the 

35 results are returned to the Host PC. Accounting for funds 
and transaction processing are centralized at the Data 
Center. See, for example, U.S. Patent No. 5,454 : 038, 
which is assigned to the assignee of the present inven- 
tion. The security for an open system virtual meter is 

40 based on addressee information being included in the 
encrypted information, i.e. digital token, printed in the 
indicium. The verification of an open system indicium 
includes scanning the addressee information printed on 
the mailpiece and using scanned addressee information 

45 to recreate the digital token. Thus, for open systems it 
is necessary to include addressing in the encrypted in- 
formation to discourage the printing of multiple copies 
of a valid indicium which would be easy to do on a PC- 
based system. Heretofore, closed systems have not 

50 been considered suitable for a virtual meter configura- 
tion since closed systems do not include addressee in- 
formation. 

[0007] It has been found that a closed system virtual 
metering system can be implemented wherein a digital 
55 printer, such as a mailing machine or label printer, can 
communicate with the Data Center to obtain evidence 
of postage payment. The security for such a closed vir- 
tual metering system is achieved by cryptograph ica I ly 
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coupling the printing of postage with accounting to en- 
sure that multiple copies of an indicium are not printed. 
Security may alternately be achieved by the logging of 
each transaction, preferably at the Data Center. It has 
been found that the logging of each transaction and a 
verification process by the Post allows an unsecure 
printer to be used in the closed virtual metering system. 
[0008] The closed virtual metering system is config- 
ured with authorized indicium printers obtaining postage 
value from a PSD that is remotely located at the Data 
Center, fn the preferred embodiment, modems or inter- 
net connections for accessing the Data Center are lo- 
cated in the digital printer or in an interface module con- 
nected thereto. 

[0009] It has been found that there are several bene- 
fits to a closed system virtual meter in accordance with 
the present invention. Funds are not are stored at a us- 
er's site reducing the risk of unauthorized modification 
of accounting balances. There is a database record of 
every mail piece which means that verification will be 
improved since all valid pieces are known. Also, a low 
cost device can be used without the need to include des- 
tination address as in open systems meters. (This is 
made possible by the secure/dedicated printer link.) 
Furthermore, the present invention enables the Post to 
know the volume of mail to be processed prior to receipt 
of physical mail pieces. There will be more customer da- 
ta available (e.g. when they usually mail, how much mait 
per day, average postage amount) which will enable the 
Post to predict mail handling patterns. Finally, users 
have the option to pay as they go which contrasts 
present systems in which funds must be on deposit prior 
to being downloaded to a meter even though such 
downloaded funds may remain in the meter for weeks 
before being used. 

[001 0] There are additional benefits that are realized 
from the present invention. One such benefit relates to 
the postal regulations requiring that the postage printed 
on a metered mailpiece must be obtained from a meter 
licensed from the local post office at which the mailpiece 
is deposited for mailing, commonly referred to as "origin 
of deposit" or "domain". In addition, all postal revenues 
obtained from meter use must be transferred to the li- 
censing Post Office. With an indicium printer accessing 
a PSD at the Data Center, a user having indicium print- 
ers located at a plurality of locations does not need a 
separate PSD for each location to conform to such post- 
al regulations. Furthermore, a user of a closed virtual 
metering system located in Shelton, Connecticut may 
be want to deposit its mailpieces in a Post Office at dif- 
ferent origins of deposit, such as Stamford, Connecticut. 
The present invention provides each user of the closed 
virtual metering system with access to a PSD having dif- 
ferent origins of deposit. 

[0011] Another benefit of the present invention is that 
mailpiece generation does not have to be interrupted 
because of PSD funds limitation. 

[0012] The present invention provides a system and 



method for evidencing postage on a mailpiece which in- 
cludes a printer module transmitting to a remote data 
center a request for indicia data. The data center in- 
cludes a processor, a database and a secure coproces- 
s sor. The database includes user account data. The re- 
quest includes postal value for a selected number of in- 
dicia to be printed by the printer module. The data center 
verifies that the printer module is authorized to request 
the postal value and retrieves user account data stored 
io in a database. The data center verifies the user's ac- 
count data includes sufficient funds for the number of 
indicia requested, debits the user's account data for the 
total postal value requested and then generates a digital 
token for each of the indicia. The digital token is gener- 
is ated from information relating to each of the indicia in- 
cluding information unique to each of the indicia. The 
data center transmits to the printer module the request- 
ed indicia data including postal value and digital token 
for each of the indicia. The printer module prints the re- 
20 ceived indicia. 

[0013] The above and other objects and advantages 
of the present invention will be apparent upon consider- 
ation of the following detailed description, taken in con- 
junction with accompanying drawings, in which like ref- 
25 erence characters refer to like parts throughout, and in 
which: - 

Fig. 1 is a block diagram of a closed virtual metering 
system with indicium printer in communication with 

30 a Data Center in accordance with the preferred em- 
bodiment of the present invention; 
Fig. 2 is a flow chart of the printer operation in the 
closed virtual metering system of Fig. 1: and 
Fig. 3 is a flow chart of the data center operation in 

35 the closed virtual metering system of Fig. 1 . 

[0014] In describing the present invention, reference 
is made to the drawings, wherein there is seen in Fig. 1 
a block diagram of a closed virtual metering system, 

40 generally designated 1 0, including a Data Center 20 and 
an indicia printer module 30. Data Center 20 includes a 
database 22, a server 24, a secure coprocessor 26 and 
a firewall 28. Database 22 is used to store customer ac- 
count data, such as account balance and credit card 

45 number, and other customer information, such as a tel- 
ephone number. Also stored in the database is informa- 
tion corresponding to printer 30, such as piece count, 
encrypted keys for token generation and authentication 
and a transaction log of transactions processed by the 

50 Data Center. Server 24 processes all transactions at the 
Data Center. Secure coprocessor 26 performs crypto- 
graphic operations at the Data Center, such as token 
generation. In an alternate embodiment, these crypto- 
graphic operations may be performed by the server 24. 

55 However, this is a less secure implementation. The fire- 
wall 28 is the a conventional first line of defense against 
unauthorized access to server 

[0015] Indicia printer module 30 includes a modem 



3 



BNSDOCID: <EP 0927963A2_I_> 



EP 0 927 963 A2 



32, which operates as a communication interface be- 
tween indicia printer 30 and Data Center 20, a printer 
34, a control unit 36 and a user interface 38. In the pre- 
ferred embodiment Printer 34 is a label printer. In an al- 
ternate embodiment, printer 34 may print directly on en- 
velopes or meter tape as other digital printing means. 
Control unit 36 which contains a microprocessor, mem- 
ory means and non-volatile storage, controls all ma- 
chine operations, including communication with the Da- 
ta Center, user interface and printing functions. The user 
interface 38 includes a keypad and display for user input 
and status messages. 

[0016] The printer may be unsecured or may be se- 
curely coupled as described in European Patent Appli- 
cation No. 98109736.3, filed May 26, 1998, entitled 
SYNCHRONIZATION OF CRYPTOGRAPHIC KEYS 
BETWEEN TWO MODULES OF A DISTRIBUTED 
SYSTEM and assigned to the assignee of the present 
invention, or in U.S. Patent No. 4,802,218, issued to 
Christopher B. Wright et al and now assigned to the as- 
signee of the present invention. 

[001 7] It has been found that the printer may be a con- 
ventional mailing machine, such as Paragon™, manu- 
factured by Pitney Bowes of Stamford, Connecticut, or 
may be a printer dedicated to printing some type of in- 
dicium, for example a label printer. 
[0018] Referring now to Fig. 2, printer module 30 op- 
eration is described. At step 100, a user selects a post- 
age amount and a number of indicia to be printed. In 
accordance with the described embodiment of the 
present invention, requests for multiple indicia, for ex- 
ample 5 indicia at $0.32 each, are sent at the same time 
to reduce the costs of establishing separate connections 
to the Data Center for each indicium. At step 105, the 
printer module 32 calls the Data Center. Although mo- 
dem 30 is shown in Fig. 1 , it will be understood that any 
conventional connection method, such as internet or R/ 
F, is suitable. At step 110, the printer module 30 mutually 
authenticates with the Data Center, for example as set 
forth above. When the connection to the Data Center is 
established, the printer module 30 identifies itself by its 
serial number. This allows the Data Center to obtain us- 
er information and printer specific information, such as 
printer token keys. In the preferred embodiment, the 
printer module 30 has a unique key to authenticate itself 
to the data center However, a single key or limited set 
of keys may be used for all printers. If the authentication 
is successful, at step 115, then, at step 120, the printer 
module 30 requests indicia data from Data Center. This 
request may include postal information, such as postal 
amount, weight and a unique piece identifier. If the au- 
thentication is not successful, then an error is reported. 
As noted previously multiple requests for indicia may 
be sent at once. In the preferred embodiment, Indicia 
data, which is for a closed system indicia, includes piece 
count, postage amount, origin zip, printer identification, 
date, digital tokens and check digits. Using such indicia 
data in the generation of tokens for each indicium allows 



the Post to verify each indicium using only a limited set 
of data, the set of meters token keys. In an alternate 
embodiment, I ndicia data may simply be an indicium se- 
rial number (digitally signed or not signed). This indicium 

5 serial number may be assigned by the Data Center or 
may be the unique piece identifier sent in the request by 
the printer module Since all the indicia that are being 
issued are known at the Data Center, this information 
can be sent to the Post. The Post can then use this data 

10 to verify all mail pieces that appear in the mail stream. 
This method requires that the Post maintain a database 
for every mail piece produced. However, this method 
could also be used for a post billing arrangement. 
[0019] At step 120, if a timeout occurs before a re- 

is sponse is received from the Data Center, an error is re- 
ported. When a response is received, at step 1 30, then 
the printer module 30 acknowledges the response, at 
step 135. If, at step 140, postage is not included in the 
response from the Data Center an error is reported. If 

20 postage is included, then, at step 145. the printer mod- . 
ule 30 formats the indicia for printing. In the preferred 
embodiment, all indicia are formatted at once and then 
printed. However, they could be formatted and printed 
one at a time. At step 1 50, the printer module 30 prints 

25 the indicia. 

[0020] Referring now to Fig. 3, the Data Center 20 op- 
eration is described. At step 200, the Data Center 20 
monitors incoming calls. When a call is received then, 
at step 205, the Data Center 20 mutually authenticates 

30 with the printer module 30. The printer module 30 iden- 
tifies itself by its serial number which allows the data 
center to look up user information and printer specific 
information, such as printer token keys. Conventional 
caller ID may also be used as an authentication mech- 

35 anism. If, at step 21 0, the authentication is unsuccessful 
an error is reported. If successful, then, at step 21 5, user 
data, such as account balance, available credit line, 
credit card number (depending on the user's desired 
payment method) is retrieved from database 22. At step 

40 220, the Data Center 20 begins the process for author- 
izing payment by the user. The Data Center 20 checks 
if sufficient funds are available, for example, in the user's 
account or credit line or if the user is authorized credit 
card transaction. At step 225, if authorization is u'nsuc- 

45 cessful an error is reported. If successful, then, at step 
230, the Data Center 20 commits payment by debiting 
the user's account or completing a credit card transac- 
tion. At step 235, encrypted keys are retrieved from da- 
tabase 22. In the preferred embodiment, token keys are 

so used to generate digital tokens that are unique to each 
printer module 30. To enhance security, the token keys 
are stored encrypted and may only be decrypted by the 
secure coprocessor 26. At step 240, the Data Center 20 
sends the request from printer module 30 and the en- 

55 crypted key to secure coprocessor 26. At step 245, the 
secure coprocessor 26 decrypts the encrypted key and 
uses the decrypted key to generate tokens in response 
to the request. The use of separate tokens for each in- 
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dicium allows the Post to verify each mailpiece without 
a database of all mailpieces. Alternatively, a mailpiece 
serial number could be issued (as described for Fig. 2) 
and the Post could check an individual mailpiece against 
the database for verification purposes. In this case, the 
mailpiece serial number would probably be digitally 
signed in order to discourage the printing of random se- 
rial numbers by attackers. 

[0021] At step 250, the Data Center 20 logs the trans- 
action. The logged data could also be sent to the Post 
in real time to facilitate more extensive verification 
wherein each mailpiece could be checked against a list 
of valid mailpieces. At step 255, if more. indicia have 
been requested, the process repeats steps 240 through 
250. As previously noted, requests for multiple indicia 
are sent at the same time to reduce the cost of estab- 
lishing separate connections to the Data Center for each 
indicium. If not, then at step 260, the Data Center 20 
sends the indicia data to the printer module 30 In the 
preferred embodiment, the indicia data is for a closed 
system indicia and includes piece count, postage 
amount, origin zip, printer identification, date, digital to- 
kens and check digits. Such data allows the Post to ver- 
ify each indicium using only a limited set of data, i.e., 
the set of meters token keys. In an alternate embodi- 
ment, the indicia data may simply be an indicium serial 
number (digitally signed or not signed). Since all the in- 
dicia that are being issued are known at the Data Center, 
this information can be sent to the Post, which can then 
use this data to verify all mailpieces that appear in the 
mail stream. As previously noted, this alternate method, 
which may be used for post billing, requires that the Post 
maintain a database for every mailpiece produced. At 
step 265, if an acknowledgment is not received from 
printer module 30 an error is reported. If received, then, 
at step 270 the call is disconnected. 
[0022] It will be understood that although the embod- 
iments of the present invention are described as post- 
age metering systems, the present invention is applica- 
ble to any value metering system that includes transac- 
tion evidencing, such as monetary transactions, item 
transactions and information transactions. While the 
present invention has been disclosed and described 
with reference to a single embodiment thereof, it will be 
apparent, as noted above, that variations and modifica- 
tions may be made therein. It is, thus, intended in the 
following claims to cover each variation and modification 
that falls within the true spirit and scope of the present 
invention. 

[0023] Personal Post Office and PostPerfect are 
trademarks of Pitney Bowes Inc. 



transmitting (120) from a printer module (30) to 
a data center (20) a request for indicia data, in- 
cluding postal value for a selected number of 
indicia to be printed by the printer module; 
5 ve rify ing ( 1 1 0) at the data center that the printer 

module is authorized to request the postal val- 
ue; 

retrieving (215) at the data center (20) user ac- 
count data stored in a database; 

10 authorizing (220) the request for indicia data 

based on information in the user account data; 
accounting (230) at the data center for the post- 
al value for the selected number of indicia; 
generating (245) a unique identifier for each of 

'5 the indicia; 

transmitting (260) from the data center (20) the 
requested indicia data including postal value 
and the unique identifier for each of the indicia; 
and 

20 printing (150) the indicia at the printer module. 

2. The method of claim 1 wherein the step of author- 
izing the request includes the steps of: 

2S verifying (215, 220) the user's account data in- 

cludes sufficient funds for the number of indicia 
requested; and 

debiting (230) the user's account data for the 
total postal value requested. " 

30 

3. The method of claim 1 or 2 wherein the indicia data 
further includes piece count, origin zip, printer iden- 
tification, date, and check digits. 

35 4. The method of claim 1 , 2 or 3 including the further 
steps of: 

logging (250) transaction information relating 
to each digital token generated and transmitted to 
the printer module (30). 

40 

5. The method of any one of the preceding claims, in- 
cluding the further steps of: 

selecting (100) at the printer module (30) a 
45 number of indicia and the postal value for each 

of the indicia to be included in the request; 
initiating (105) at the printer module (30) com- 
munications with the data center (20); and 
disconnecting (270) the communications when 
so the requested indicia data has been received 

by the printer module (30). 



Claims 



A method for evidencing postage on a mailpiece 
comprising the steps of: 



6. The method of any one of the preceding claims 
wherein the unique identifier is a digital token gen- 

55 e rated at the data center. 

7. The method of any one of the preceding claims 
wherein the unique identifier is an indicium serial 
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number generated at the data center. 

8. The method of any one of claims 1 to 5 wherein the 
unique identifier is an indicium serial number gen- 
erated at the printer module and sent to the data 
center as part of the request for indicia data. 

9. A postage metering system comprising: 

a printer module (30) including a user interface 
(38) and a processor (36); 
a data center (20) located remotely from the 
printer module (30); said data center (20) in- 
cluding a processor (24), and a database (22), 
said database including user account informa- 
tion; 

means (28, 32) for establishing communication 
between the printer module and the data center 
wherein the printer module (30) is operable to 
request indicia data, including digital tokens, 
from the data center and the printer is operable 
to print indicia, including the digital tokens, on 
mailpieces when the requested indicia data is 
received from the data center (20). 



10 



15 



2Q 



printer module (30); said data center (20) in- 
cluding a processor (24) and a database (22), 
said database including user account informa- 
tion: 

means (28, 32) for establishing communication 
between the printer module .(30) and the data 
center (20) wherein the printer module is oper- 
able to request transaction evidencing data, in- 
cluding digital tokens, from the data center and 
the printer is operable to print the transaction 
evidence on documents when received from 
the data center. 



10. The system of claim 9 wherein the data center (20) 
is operable to obtain some of the indicia data, in- 
cluding piece count, origin zip and printer identifica- 
tion from the database and to generate the digital 
token at the secure coprocessor 



30 



11. The system of claim 9 or 1 0 wherein the digital token 
is generated using token keys stored in the data- 
base. 

1 2. The system of any one of claims 9 to 1 1 wherein the 
request for indicia data includes a number of indicia 
and a postal value for each of the indicia. 



13. The system of claim 12 wherein the data center is 
operable to verify the user's account information in- 
cludes^ sufficient funds for the number of indicia re- 
quested and to debit the user's account information 
for the total postal value requested. 

14. The system of any one of claims 9 to 13 wherein 
the data center is operable to verify that the printer 
module is authorized to request the indicia data. 



40 



45 



15. The system of any one of claims 9 to 14 wherein 
the means for establishing communication includes 
a modem (32). 



so 



16. A transaction evidencing system comprising: 

a printer module (30) including a user interlace 

(38) and a processor (36); 

a data center (20) located remotely from the 



55 
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